The Gauge.notifyRewardAmount function does not have any access restriction. Anyone (an attacker) can frontrun and call this function to add arbitrary (even malicious) gauge reward tokens up to MAX_REWARD_TOKENS = 16.
An attacker is able to frontrun and add 16 fake ERC20 token contracts. Due to the limit of MAX_REWARD_TOKENS, no more gauge reward tokens can be added. Any attempt to add a new token will revert.
This will prevent adding the proper reward tokens due to DoS when calling the Gauge.notifyRewardAmount function and results in DoS when calling the Voter.distribute function.
Consider adding access restriction to the Gauge.notifyRewardAmount function to prevent malicious actors from calling the function or add a whitelist of possible reward tokens.
Lines of code
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Gauge.sol#L590
Vulnerability details
Impact
The Gauge.notifyRewardAmount function does not have any access restriction. Anyone (an attacker) can frontrun and call this function to add arbitrary (even malicious) gauge reward tokens up to MAX_REWARD_TOKENS = 16.
An attacker is able to frontrun and add 16 fake ERC20 token contracts. Due to the limit of MAX_REWARD_TOKENS, no more gauge reward tokens can be added. Any attempt to add a new token will revert.
This will prevent adding the proper reward tokens due to DoS when calling the Gauge.notifyRewardAmount function and results in DoS when calling the Voter.distribute function.
Proof of Concept
Gauge.sol#L590
Tools Used
Manual review
Recommended mitigation steps
Consider adding access restriction to the Gauge.notifyRewardAmount function to prevent malicious actors from calling the function or add a whitelist of possible reward tokens.
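The reduced contracts below are an added illustration of the mitigation, not Velodrome's code: a shared base keeps only the reward-token registration path (the MAX_REWARD_TOKENS = 16 cap and the revert once it is full), GaugeOpen shows the unrestricted registration the finding describes, and GaugeWhitelisted gates registration of a new token behind the Voter or a Voter-maintained whitelist. The IVoter.isWhitelisted interface, the contract names and the simplified accounting in _pull are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal interfaces for the example; the real contracts expose much more.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed interface: the Voter is taken to keep the list of allowed reward tokens.
interface IVoter {
    function isWhitelisted(address token) external view returns (bool);
}

// Shared registration logic, reduced to what the finding is about.
abstract contract GaugeRewardsBase {
    uint256 public constant MAX_REWARD_TOKENS = 16;

    address public immutable voter;
    address[] public rewards;                      // registered reward tokens
    mapping(address => bool) public isReward;      // token => already registered
    mapping(address => uint256) public notified;   // stand-in for real rate/period math

    constructor(address _voter) {
        voter = _voter;
    }

    // Registers a token the first time it is seen; the 17th distinct token reverts.
    function _register(address token) internal {
        if (!isReward[token]) {
            require(rewards.length < MAX_REWARD_TOKENS, "Gauge: too many rewards tokens");
            isReward[token] = true;
            rewards.push(token);
        }
    }

    // Pulls the reward amount from the caller (simplified accounting).
    function _pull(address token, uint256 amount) internal {
        require(amount > 0, "Gauge: zero amount");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "Gauge: transfer failed");
        notified[token] += amount;
    }

    function rewardsListLength() external view returns (uint256) {
        return rewards.length;
    }
}

// Pattern described in the finding: any caller may register any token, so one
// party can fill all 16 slots and every later registration reverts.
contract GaugeOpen is GaugeRewardsBase {
    constructor(address _voter) GaugeRewardsBase(_voter) {}

    function notifyRewardAmount(address token, uint256 amount) external {
        _register(token);
        _pull(token, amount);
    }
}

// Mitigated pattern: a token not yet registered may only be added by the Voter
// itself or when the Voter has whitelisted it. Top-ups of already registered
// tokens stay open, so only the slot-consuming step is gated.
contract GaugeWhitelisted is GaugeRewardsBase {
    constructor(address _voter) GaugeRewardsBase(_voter) {}

    function notifyRewardAmount(address token, uint256 amount) external {
        if (!isReward[token]) {
            require(
                msg.sender == voter || IVoter(voter).isWhitelisted(token),
                "Gauge: token not whitelisted"
            );
        }
        _register(token);
        _pull(token, amount);
    }
}
```

The gate sits on registration rather than on every call so that the limited resource (the 16 slots) is the thing that requires authorisation; a deployment that wants the stricter option from the recommendation can drop the isWhitelisted branch and allow only the Voter.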